Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

He grabbed a forensic image of a phone running Snapchat, found a directory called received_image_snaps and looked in it.

Both unviewed and expired images were still there.

If Hickman’s analysis is correct (and it certainly seems to be), Snapchat relies on two steps to make your images “disappear”:

It adds the extension .nomedia to the filenames, which is a standard Android marker that says, “Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me.”

It adds a record to its own database to say, “The following image should be treated as though it doesn’t exist. Leave it to me, and I will pretend it has disappeared forever.”

Just as egregiously, Snapchat doesn’t even come close to guaranteeing that your images get deleted from its own servers once they’ve been delivered:

When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don’t open the message), we cannot guarantee that the message contents will be deleted in every case.

So when you share that “ugly selfie”, where does it end up?

It’s stored on your phone, but you’d expect that because you took it, so that’s your lookout.

It’s stored on Snapchat’s servers, where it will probably be deleted once it’s been delivered, but not in every case.

And it’s stored on the recipients’ phones, from where it apparently won’t be deleted at all, though it will be marked “not for display,” which seems to be synonymous in Snapchat’s argot with “disappears forever”.

What to do about this?

The obvious first step is to share snapshots only if you don’t mind them hanging around forever.

The second step is to stop using Snapchat until these issues get fixed.

And the third is to write to the Snapchat guys and suggest that they could use cryptography and positive erasure to come much closer to fulfilling their promises, so you can start using their app again.

Here are some cryptographic tricks that Snapchat might consider:

When user X signs up, generate a public/private key pair on his device and send the public key to the Snapchat servers.

When storing an image for delivery to X, encrypt it with X’s public key so it can’t be decrypted unless and until X receives it on his device. That way, images implicitly ‘disappear’ from the Snapchat servers even before they are delivered.

Encrypt each image delivered to X’s device with a random key, and keep the key on the Snapchat server until X requests to view the image. That way, the key and the decrypted image only ever need to exist in memory on X’s device, and thus implicitly ‘disappear’ once viewed.

When ‘disappearing’ an image, positively erase (i.e. actively overwrite) the random key off the Snapchat servers. Without the key, the encrypted image becomes shredded cabbage.

When ‘disappearing’ an image, positively erase the encrypted image file on X’s device, just in case the key survived, for defence in depth.
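A sketch of the last three tricks (a random per-image key held only by the server, positive erasure of that key, and positive erasure of the encrypted file on X's device) in Go, added here as an illustration and not Snapchat's code or code from the original article: the KeyServer type and its Deliver, View and Disappear methods are hypothetical names, and AES-256-GCM from the Go standard library stands in for whatever cipher an implementer might choose.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyServer stands in for the Snapchat side that holds each image's random key (hypothetical).
type KeyServer map[string][]byte
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Deliver encrypts the image under a fresh random key that never leaves the server; X's device gets only nonce || ciphertext.
func (s KeyServer) Deliver(id string, image []byte) ([]byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	s[id] = key
	// The snap ID is bound as associated data so one snap's key cannot be replayed on another.
	return aead.Seal(nonce, nonce, image, []byte(id)), nil
}
// View fetches the key and decrypts in memory only; no plaintext is written to storage.
func (s KeyServer) View(id string, blob []byte) ([]byte, error) {
	key, ok := s[id]
	if !ok || len(blob) < 12 { return nil, fmt.Errorf("%s: image has disappeared", id) }
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	return aead.Open(nil, blob[:12], blob[12:], []byte(id))
}
// Disappear positively erases the key on the server, then the blob on the device (defence in depth).
func (s KeyServer) Disappear(id string, blob []byte) {
	if key, ok := s[id]; ok {
		wipe(key)
		delete(s, id)
	}
	wipe(blob)
}
func wipe(b []byte) { for i := range b { b[i] = 0 } }
func main() {
	srv, id := KeyServer{}, "snap-1"
	blob, _ := srv.Deliver(id, []byte("constructed sample image bytes"))
	srv.Disappear(id, blob)
	fmt.Println(srv.View(id, blob)) // key gone, blob zeroed: the image is unrecoverable
}
```

Zeroing a slice does not guarantee that no copy of the key survives elsewhere in memory or on swapped-out pages, which is why the fifth trick, wiping the encrypted file itself, is worth the extra step.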